Changeset 448

Timestamp:

07/16/05 13:25:38 (8 years ago)

Author:

ahu

Message:

documentation, ldap fixes for bug #17

Location:

trunk/pdns

Files:

• modules/ldapbackend/ldapbackend.cc (modified) (7 diffs)
• pdns/docs/pdns.sgml (modified) (9 diffs)

trunk/pdns/modules/ldapbackend/ldapbackend.cc

@@ -126 +126 @@
         string dn;
         string filter;
-
+    string qesc;
+
+
+        dn = getArg( "basedn" );
+        qesc = toLower( m_pldap->escape( target ) );
 
         // search for SOARecord of target
-        dn = getArg( "basedn" );
-        filter = "(associatedDomain=" + target + ")";
+        filter = strbind( ":target:", "(associatedDomain=" + qesc + ")", getArg( "filter-axfr" ) );
         m_msgid = m_pldap->search( dn, LDAP_SCOPE_SUBTREE, filter, (const char**) ldap_attrany );
         m_pldap->getSearchEntry( m_msgid, m_result, true );
@@ -141 +144 @@
 
         prepare();
-        filter = "(associatedDomain=*." + target + ")";
+        filter = strbind( ":target:", "(associatedDomain=*." + qesc + ")", getArg( "filter-axfr" ) );
         DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << dn << ", filter: " << filter << endl );
         m_msgid = m_pldap->search( dn, LDAP_SCOPE_SUBTREE, filter, (const char**) ldap_attrany );
@@ -212 +215 @@
                 attributes = attronly;
         }
+
+        filter = strbind( ":target:", filter, getArg( "filter-lookup" ) );
 
         DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << getArg( "basedn" ) << ", filter: " << filter << ", qtype: " << qtype.getName() << endl );
@@ -256 +261 @@
         }
 
+        filter = strbind( ":target:", filter, getArg( "filter-lookup" ) );
+
         DLOG( L << Logger::Debug << m_myname << " Search = basedn: " << getArg( "basedn" ) << ", filter: " << filter << ", qtype: " << qtype.getName() << endl );
         m_msgid = m_pldap->search( getArg( "basedn" ), LDAP_SCOPE_SUBTREE, filter, (const char**) attributes );
@@ -271 +278 @@
 
 
-        qesc = toLower( qname );
+        qesc = toLower( m_pldap->escape( qname ) );
         filter = "(associatedDomain=" + qesc + ")";
 
@@ -281 +288 @@
                 attributes = attronly;
         }
+
+        filter = strbind( ":target:", filter, getArg( "filter-lookup" ) );
 
         stringtok( parts, qesc, "." );
@@ -489 +498 @@
                 declare( suffix, "secret", "User password for non anonymous binds", "" );
                 declare( suffix, "method", "How to search entries (simple, strict or tree)", "simple" );
+                declare( suffix, "filter-axfr", "LDAP filter for limiting AXFR results", ":target:" );
+                declare( suffix, "filter-lookup", "LDAP filter for limiting IP or name lookups", ":target:" );
                 declare( suffix, "disable-ptrrecord", "Depricated, use ldap-method=strict instead", "no" );
         }

trunk/pdns/pdns/docs/pdns.sgml

@@ -84 +84 @@
       <sect2 id="changelog-2-9-18"><title>Version 2.9.18</title>
         <para>
-          Released on the 14th of July 2005.
+          Released on the 16th of July 2005.
         </para>
         <para> 
@@ -92 +92 @@
         </para>
         <para>
-          This release brings a number of new features,
-          but also has a new build dependency, the <ulink url="http://www.boost.org">Boost library</ulink>.
+          This release brings a number of new features (vastly improved recursor, Generic Oracle Support, DNS analysis and replay tools, and more) 
+          but also has a new build dependency, the <ulink url="http://www.boost.org">Boost library</ulink> (version 1.31 or higher).
         </para>
         <para>
@@ -108 +108 @@
         </para>
         <para>
+          Additionally, the bind2backend is almost ready to replace the stock bind backend. If you run with Bind zones, you are cordially invited
+          to substitute 'launch=bind2' for 'launch=bind'. This will happen automatically in 2.9.19!
+        </para>
+        <para>
           In other news, the entire Wikipedia constellation now runs on PowerDNS using the Geo Backend! Thanks to Mark Bergsma
           for keeping us updated.
         </para>
         <para>
-          General bugs fixed:
+          There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion
+          to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:
           <itemizedlist>
             <listitem>
               <para>
-                TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky)
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky)
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno.
+                The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved,
+                but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
               </para>
             </listitem>
@@ -136 +132 @@
               </para>
             </listitem>
+          </itemizedlist>
+        </para>
+        <para>
+          General bugs fixed:
+          <itemizedlist>
+            <listitem>
+              <para>
+                TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky)
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky)
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno.
+              </para>
+            </listitem>
+
             <listitem>
               <para>
@@ -338 +355 @@
               </para>
             </listitem>
-
             <listitem>
               <para>
@@ -4077 +4093 @@
     <sect1 id="security-policy"><title>Security</title>
       <para>
-        As of the 5th of February 2005, no actual security problems with PowerDNS 2.9.17 or later are known about. This page 
+        As of the 16th of July 2005, no actual security problems with PowerDNS 2.9.18 or later are known about. This page 
         will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications
-        will also be sent to all PowerDNS mailinglists and BUGTRAQ.
+        will also be sent to all PowerDNS mailinglists.
+      </para>
+      <para>
+        All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion
+        to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:
+        <itemizedlist>
+          <listitem>
+            <para>
+              The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved,
+              but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan.
+              This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and
+              not a denial of a domain's existence.
+            </para>
+          </listitem>
+        </itemizedlist>
       </para>
       <para>
@@ -5376 +5411 @@
             POSIX get/set/swapcontext functions. Bug your favorite FreeBSD kernel or libc maintainer for a fix,
             or ask him to port MTasker (see below) to your operating system. It may work on recent 4.x systems, 
-            letus know!
+            let us know!
           </para></listitem>
         <listitem><para>
@@ -6828 +6863 @@
   </chapter>
   <chapter id="analysis"><title>Tools to analyse DNS traffic</title>
-  <para>
-    DNS is highly mission critical, it is therefore necessary to be able to study and compare DNS traffic. Since 2.9.18, PowerDNS comes
-    with three tools to aid in analysis:
-    <variablelist>
-    <varlistentry>
-    <term>dnsreplay pcapfile [ipaddress] [port number]</term>
-    <listitem>
     <para>
-    This program takes recorded questions and answers and replays them to a specified nameserver and reporting afterwards
-    which percentage of answers matched, were worse or better.
-    </para>
-    </listitem>
-    </varlistentry>
-    <varlistentry>
-    <term>dnswasher pcapfile output</term>
-    <listitem>
-    <para>
-    Anonymises recorded traffic, making sure it only contains DNS, and that the originating IP addresses of queries are stripped, which may
-    allow you to send traces to our company or mailing list without violating obligations towards your customers or privacy laws.
-    </para>
-    </listitem>
-    </varlistentry>
-    <varlistentry>
-    <term>dnsscope pcapfile</term>
-    <listitem>
-    <para>
-    Calculates statistics without replaying traffic
-    </para>
-    </listitem>
-    </varlistentry>
-    </variablelist>
+      DNS is highly mission critical, it is therefore necessary to be able to study and compare DNS traffic. Since 2.9.18, PowerDNS comes
+      with three tools to aid in analysis:
+      <warning>
+        <para>
+          As of 2.9.18 these tools are somewhat rough - they have no help messages for example. They do work though.
+        </para>
+      </warning>
+      <variablelist>
+        <varlistentry>
+          <term>dnsreplay pcapfile [ipaddress] [port number]</term>
+          <listitem>
+            <para>
+              This program takes recorded questions and answers and replays them to a specified nameserver and reporting afterwards
+              which percentage of answers matched, were worse or better.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>dnswasher pcapfile output</term>
+          <listitem>
+            <para>
+              Anonymises recorded traffic, making sure it only contains DNS, and that the originating IP addresses of queries are stripped, which may
+              allow you to send traces to our company or mailing list without violating obligations towards your customers or privacy laws.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>dnsscope pcapfile</term>
+          <listitem>
+            <para>
+              Calculates statistics without replaying traffic
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
     </para>
   </chapter>
@@ -8823 +8863 @@
     <sect1 id="ldap"><Title>LDAP backend</title>
       <para>
+        <warning>
+          <para>
+            This documentation has moved to <ulink url="http://wiki.linuxnetworks.de/index.php/PowerDNS_ldapbackend">its own page</ulink>. The information in this chapter
+            may be outdated!
+          </para>
+        </warning>
+      <para>
         The main author for this module is Norbert Sendetzky who also has his own <ulink url="http://www.linuxnetworks.de/pdnsldap/index.html">PowerDNS-LDAP page</ulink>.
+      </para>
+      <para>
+        He also maintains the <ulink url="http://wiki.linuxnetworks.de/index.php/PowerDNS_ldapbackend">LDAP backends documentation</ulink> there. The information 
+        below may be outdated!
       </para>
       <para>